On Fri, 01 Jul 2016, Joanna Delaporte wrote:
> I am having trouble using NFSv4 via krb5 on my new IPA realm, and I am
> starting to wonder if I don't have HBAC rules set up correctly. I
> installed freeIPA with --no_hbac_allow.
>
> I have an HBAC service defined as an nfs service:
> $ ipa hbacsvc-add --desc="NFS service" nfs
>
> I have an HBAC rule that allows all users to access all services on a group
> of hosts. My nfsclient is in that group.
>
> Is that enough to allow users rights to mount nfs shares? Do I need some
> sort of HBAC between the nfsclient and the nfsserver?

HBAC is not involved at all for NFS use. Remember, HBAC checks are run
by SSSD when it is called by PAM session setup. There is nothing like
that for NFS mounts.
Have you read http://wiki.linux-nfs.org/wiki/index.php/NFS_and_FreeIPA ?
/ Alexander Bokovoy